Debian Linux Security Advisory 2896-1 - A vulnerability has been discovered in OpenSSL's support for the TLS/DTLS Hearbeat extension. Up to 64KB of memory from either client or server can be recovered by an attacker This vulnerability might allow an attacker to compromise the private key and other sensitive data in memory.
b46b7cdf2bdf994b775cf460ae5825957211930d6a2c4d11361546b5cd798cc0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2896-1 security@debian.org
http://www.debian.org/security/ Salvatore Bonaccorso
April 07, 2014 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : openssl
CVE ID : CVE-2014-0160
Debian Bug : 743883
A vulnerability has been discovered in OpenSSL's support for the
TLS/DTLS Hearbeat extension. Up to 64KB of memory from either client or
server can be recovered by an attacker This vulnerability might allow an
attacker to compromise the private key and other sensitive data in
memory.
All users are urged to upgrade their openssl packages (especially
libssl1.0.0) and restart applications as soon as possible.
According to the currently available information, private keys should be
considered as compromised and regenerated as soon as possible. More
details will be communicated at a later time.
The oldstable distribution (squeeze) is not affected by this
vulnerability.
For the stable distribution (wheezy), this problem has been fixed in
version 1.0.1e-2+deb7u5.
For the testing distribution (jessie), this problem has been fixed in
version 1.0.1g-1.
For the unstable distribution (sid), this problem has been fixed in
version 1.0.1g-1.
We recommend that you upgrade your openssl packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJTQxo1AAoJEAVMuPMTQ89ETBUP/0uAYS84ABbzCu16ZTHuCwk5
uVounKYCUbTVKxr/cTU8LzMbJo8Bhj3yQ47GUak6DlxzxVfsDXiEp2Q0/HV552Dm
gIoFQ1VpsQlCrmKLI1bINN9FYq28lAsfoo9xg4qtt/XrXzBfW98mlrQji/t4GBk2
ZYuRZxSDmrdNBH9QHzEESFZa4dDznDs2ZRqj9TjrFc3UM3tzsA22DR5N0hVjygQH
v/zud7A289u+cHG8SmnSI61y4+SCHcqHDegQhNmQkVBDL7M8Jsdgh8ocLsWQnn6f
Fn63upGG44sh4MaTXSShNbJAcXiYdIBr0S6yjISxH49G28aEAgl//JsvgIS7zRua
lvW/dYQ2QrgkBjixwLmPoggRaWjSUZ/pUrobVcPGkmXXIC2ee5YSFwEL3Lp/idOW
8u86A2mdVVVRmaP1xTRBKDzQ526T2JheulvCOBjWAk4APQDTd7yAaF4QJWr8SmCl
CGL9AH2Rs+Y8Kt9jjXgz53Nl93DUMasSRtiQTBIanPGFokmyj10nmUw2XswZjExK
6Mi/hjFmLPn4oPZNn3q0ibFoFSoh8TNkvdlpAeUXeuVriOl4e246hitMaHz+1EUb
oXHfSJOLdJRt/q0K7uOYzp7CwHILqPAohdDAG6QDFhZ+RxLo8nA8s4eALq75oHtV
7CY2KZqDzude99PH/N4B
=G+xD
-----END PGP SIGNATURE-----